Security Operations Fundamentals > [T4]: Perform Windows Security Assessments with CIS-CAT Lite
CIS Benchmark
We have explored benchmarks and introduced CIS Benchmarks. Let's take a quick look at CIS-CAT Lite, a tool that assesses your Windows system against a CIS Benchmark and generates a findings report.
According to CIS:
"CIS-CAT Lite is a free
assessment tool developed by the CIS (Center for Internet
Security, Inc.). CIS-CAT Lite helps users implement secure
configurations for multiple technologies. With unlimited
scans available via CIS-CAT Lite, your organization can
download and start implementing CIS Benchmarks in
minutes."
First, go to this link, fill out the
form, and you should receive an email with the download link in your
inbox. You may use any Windows 10 machine for this exercise.
Figure
Download and extract the project
files:
Figures
Select a benchmark and a profile. As you can see, there is a single benchmark for Windows 10 with multiple profiles. Most CIS Benchmarks include multiple configuration profiles, and each profile represents a different level of hardening: Level 1 recommendations are meant to be practical for general use with little impact on functionality, while Level 2 adds defense-in-depth settings for higher-security environments and may reduce functionality. We can see that the selected profile belongs to Implementation Group 1.
Implementation Groups (IGs) are the recommended guidance for prioritizing the implementation of the CIS Critical Security Controls (CIS Controls). The CIS Controls define Implementation Group 1 (IG1) as essential cyber hygiene; it represents an emerging minimum standard of information security for all enterprises. IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.
An IG1 enterprise is typically small to medium-sized, with limited IT and cybersecurity expertise available to protect its IT assets and personnel. A common concern of these enterprises is keeping the business operational, as they have limited tolerance for downtime. The sensitivity of the data they are trying to protect is low and principally concerns employee and financial information. Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed at thwarting general, non-targeted attacks.
Figure
The tool may ask for your input about specific configurations, so you'll need to answer a few interactive questions before the assessment starts. Remember what we keep mentioning throughout the course: no one size fits all. Each organization has different requirements and business needs, and these answers tell the tool which of them apply to the machine being assessed.
Figures
The tool will assess the host
Windows 10 machine against the selected benchmark and show the
progress of the assessment process.
Figure
At the end of the assessment, the tool generates a report containing all findings; select it and click "View HTML" to open it.
Figures
The generated report includes a summary along with a detailed list of passed and failed checks. Passed checks are benchmark recommendations whose required setting was found on the scanned machine; failed checks are recommendations whose setting deviates from the benchmark and mark the non-compliant areas.
For example, as per the report below, the scanned machine still has the default password setting in place; hence it failed that check.
Figure
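To make concrete what a passed or failed check in the report means, here is an added PowerShell example; it is not part of CIS-CAT Lite or of the original page. It exports the local security policy with secedit and evaluates a handful of password and lockout settings the way a benchmark check does: each entry names the recommendation, reads the actual value from the machine, and compares it with the expected value. The thresholds are the Windows 10 Level 1 values as I recall them from the benchmark and are assumptions to verify against the exact benchmark version you selected in CIS-CAT Lite; the function names and check titles are my own.

```powershell
# Added example, not CIS-CAT code: a minimal re-implementation of a few
# CIS Windows 10 Level 1 password/lockout checks so that "Pass"/"Fail"
# in the CIS-CAT report becomes concrete. Run from an elevated prompt
# (secedit needs administrator rights). The expected values below are
# assumptions taken from the benchmark's Level 1 profile; confirm them
# against the benchmark version you selected in CIS-CAT Lite.

function Get-LocalSecurityPolicy {
    # Export the local security policy to a temporary .inf and parse the
    # [System Access] section (where password and lockout settings live)
    # into a hashtable of setting name -> value.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Invoke-PasswordPolicyChecks {
    param([hashtable]$Policy = (Get-LocalSecurityPolicy))

    # One entry per benchmark recommendation: a title, the secedit key it
    # maps to, and the predicate the actual value must satisfy to pass.
    $checks = @(
        @{ Title = 'Enforce password history is 24 or more';           Key = 'PasswordHistorySize';   Test = { param($v); [int]$v -ge 24 } }
        @{ Title = 'Maximum password age is 365 or fewer days, not 0'; Key = 'MaximumPasswordAge';    Test = { param($v); [int]$v -ge 1 -and [int]$v -le 365 } }
        @{ Title = 'Minimum password age is 1 or more days';           Key = 'MinimumPasswordAge';    Test = { param($v); [int]$v -ge 1 } }
        @{ Title = 'Minimum password length is 14 or more';            Key = 'MinimumPasswordLength'; Test = { param($v); [int]$v -ge 14 } }
        @{ Title = 'Password must meet complexity requirements';       Key = 'PasswordComplexity';    Test = { param($v); [int]$v -eq 1 } }
        @{ Title = 'Account lockout threshold is 5 or fewer, not 0';   Key = 'LockoutBadCount';       Test = { param($v); [int]$v -ge 1 -and [int]$v -le 5 } }
        @{ Title = 'Account lockout duration is 15 or more minutes';   Key = 'LockoutDuration';       Test = { param($v); [int]$v -ge 15 } }
        @{ Title = 'Guest account is Disabled';                        Key = 'EnableGuestAccount';    Test = { param($v); [int]$v -eq 0 } }
    )

    foreach ($c in $checks) {
        $actual = $Policy[$c.Key]
        # A setting absent from the export (for example LockoutDuration when
        # lockout is not configured at all) cannot be shown compliant, so it
        # is reported as a failure rather than silently skipped.
        $pass = ($null -ne $actual) -and (& $c.Test $actual)
        [pscustomobject]@{
            Check  = $c.Title
            Actual = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Result = $(if ($pass) { 'Pass' } else { 'Fail' })
        }
    }
}

Invoke-PasswordPolicyChecks | Format-Table -AutoSize
```

Compare the table this prints with the corresponding rows of the CIS-CAT HTML report on the same machine: the assessor performs the same collect-and-compare step for every recommendation in the profile, just against hundreds of registry values, audit settings and user rights rather than the eight policy values shown here.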
To see the report's content in detail, please look at this sample report. One thing worth noting is that CIS also offers a paid version of the tool, CIS-CAT Pro, that you run from the command-line interface (CLI); because it runs from the CLI it can be scripted and scheduled, and it does not require you to step through the yes/no questions manually as the Lite version does.